HTTP Data tampering

Posted on October 13, 2011


This tutorial is related to the previous Bypass an IP camera AXIS’ authentication tutorial. I already gave a brief description of the use of nmap; now I’m going to talk about data tampering in HTTP communications. Before diving into the topic, it is important to understand how data is carried when you request a web page.

HTTP protocol

Most of the time you are using the HTTP protocol (or the HTTPS protocol) when you browse websites. Browsers (Firefox, Chrome, etc.) are applications that use this protocol to communicate with web servers (Apache, IIS, etc.) and interpret HTML and CSS together with JavaScript.

Communication

Whenever you type a URL, click on a link, submit a form (or trigger an AJAX call), your browser sends an HTTP request with different options to the web server that hosts the website (this can actually be a little more complicated with a proxy or a CDN like Akamai). When the web server gets the HTTP request, it communicates with the backend systems (database, PHP, etc.) and forges an HTTP response header together with the requested file, most of the time an HTML page. Once created, it sends the file to you. Your browser interprets the page and renders it.

An HTTP request doesn’t have to be built by a browser; it’s possible to forge your own with telnet or netcat (soon, a tutorial about it):

Tosch:~ Tosch$ telnet toschprod.wordpress.com 80
Trying 76.74.254.123...
Connected to lb.wordpress.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: toschprod.wordpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Oct 2011 02:14:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
...

HTTP request

Here is a common HTTP request:

GET /index.php HTTP/1.1
Host: toschprod.wordpress.com
Connection: close
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7
Cache-Control: no-cache
Accept-Language: de,en;q=0.7,en-us;q=0.3
Referer: http://web-sniffer.net/

The first line is the request line; in this case it requests the resource called index.php (the slash character is a shortcut for index files) on the server located at toschprod.wordpress.com. The information below the request line is the header. There are two main request methods, GET and POST. POST is (most of the time) the method used when you submit a form; GET is for the other uses (when you click on a link or type a URL). The HTTP request header contains several options, but the most interesting is Cookie, an HTTP cookie previously sent by the server with Set-Cookie.

There are two main ways to send data with HTTP. The first one is via the URL. Sometimes you can see: http://www.your-website.com/page.php?var1=value1&var2=value2. In the backend system, it is possible to get the values of the variables with $_GET["var1"] and $_GET["var2"] (in PHP). Those values are easy to edit just by modifying the URL. The other way to send data is via a form. In this case, when you fill in a form and send it, the data is included in the body of the request, so it is a little trickier to edit (tamper with) the data.
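
To make the two channels concrete, here is an added example (not part of the original post) that parses a raw request and lists every value the client controls: URL parameters, form body fields and headers such as Cookie. The sample request, its host, path and field names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request (host, path and field names are made up).
SAMPLE_REQUEST = (
    "POST /page.php?var1=value1&var2=value2 HTTP/1.1\r\n"
    "Host: www.your-website.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "login=tosch&password=s3cret%21"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into the parts a client fully controls."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    # Only decode the body as form fields when the client says it is one.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),  # ?var1=...&var2=...
        "form": form,                                           # POST body fields
        "headers": headers,                                     # includes Cookie
    }


def untrusted_inputs(parsed):
    """List every (source, name, value) the server must validate before use."""
    found = []
    for source in ("query", "form"):
        for name, values in parsed[source].items():
            found.extend((source, name, v) for v in values)
    found.extend(("header", n, v) for n, v in parsed["headers"].items())
    return found


if __name__ == "__main__":
    for source, name, value in untrusted_inputs(parse_request(SAMPLE_REQUEST)):
        print(f"{source:6} {name} = {value}")
```

From the server's point of view the URL parameters and the body fields arrive the same way, as strings chosen by whoever built the request, so both need the same validation.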

Data tampering

Tampering with data, in HTTP communication, is the act of modifying the data of an HTTP request (or response) before the recipient reads it. Different tools can help you with this task. The first I would recommend is the Firefox add-on Tamper Data. The second is Burp Suite, a suite of tools for web application security analysis. Firebug is another Firefox add-on, meant for web developers, but it can also be used for tampering with data.

Tamper data

Tamper Data is an easy-to-use add-on for Firefox dedicated to tampering with data. It captures every HTTP request and response. When you start tampering, it blocks each HTTP request and asks whether you want to tamper with the data or just submit the request. If you choose to tamper, Tamper Data parses the HTTP request and creates a form where you can edit each parameter of the HTTP request.

Install

You need to use Firefox and install the add-on from this page. You will have to restart Firefox.

How to use tamper data

In Firefox, in the Tools menu, open Tamper Data. The default window is Ongoing Requests. It lists all HTTP requests/responses captured, with useful information:

  • Time – When the request happened.
  • Duration – How long it took to be retrieved.
  • Total Duration – How long it took to render (includes response download time of item and all sub-items)
  • Size – Size of received content (-1 indicates the item was loaded from the cache)
  • Method – The HTTP method issued (GET or POST)
  • Status – HTTP Status code received or “Loaded from cache”
  • Content Type – Type of data received (aka Mime-Type)
  • URL – Fully qualified URL of request.
  • Load Flags – Additional HTTP information used in retrieving or rendering content.

(Source)

The two frames below give more information about the list. If you select an HTTP request, it will give the entire HTTP request header in the left frame, and the entire HTTP response header in the right frame.

This capture mode is for packet analysis. If you want to start tampering with data, you will have to click Start Tamper (just above the list); then, for each HTTP request, you will be able to drop, modify or tamper the data. Here are three scenarios showing how to use Tamper Data:

My password: Let’s say I use Firefox to store my password (bad) because I can’t remember it, and one day I would like to know what the password is because I need to use another computer. I can’t check the source code of the login page because the form is filled in by Firefox after rendering, and I can’t copy-paste it either; I will just get “•” chars. A way to get the password in plain text is to read the HTTP request. When you click the login button, Firefox creates an HTTP POST request with the content of the form in plain text. Start tampering with Tamper Data and click on the login button; Tamper Data will ask you if you want to submit or tamper. Select tamper, and a new window will come up with the HTTP request in the left frame and the form data (POST parameters) in the right frame.

Creating my own Facebook post URL: Whenever you write a status that contains a URL, Facebook automatically retrieves an image and the title of the page, and gives a description related to this URL. If the description or the title doesn’t fit what you want to say, it is possible to modify it by tampering with the data. Write your status, with a URL. Just before clicking on Post, start tamper.

Edit the value of description (or summary), image, or title with the text/image URL you want. (Thanks to noktec, who found this trick.)

[EDIT: This doesn’t seem to work anymore, I will try to have a look later on to check what the problem is]

Session hijacking: As mentioned previously, the Cookie header carries the value set by a previous HTTP response’s Set-Cookie header. If you find a way to get this value from someone else, you could forge your own HTTP request and steal the session. Most of the time hackers use an XSS vulnerability to get the cookie value.
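
Seen from the server side, how exposed a session cookie is depends on the attributes sent with Set-Cookie. The following added example (not part of the original post) audits the Set-Cookie headers of a response for the HttpOnly, Secure and SameSite attributes; the sample response and its cookie names are constructed.

```python
# Constructed sample response; cookie names and values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: lang=de; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def audit_set_cookie(raw_response):
    """Map each cookie name to the protective attributes its Set-Cookie lacks."""
    head = raw_response.partition("\r\n\r\n")[0]
    report = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
        missing = []
        if "httponly" not in attrs:               # readable by page scripts, so by XSS
            missing.append("HttpOnly")
        if "secure" not in attrs:                 # also sent over unencrypted HTTP
            missing.append("Secure")
        if attrs.get("samesite") not in ("lax", "strict"):
            missing.append("SameSite")            # attached to cross-site requests
        report[cookie_name] = missing
    return report


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_RESPONSE).items():
        print(cookie, "->", ", ".join(missing) or "ok")
```

A session cookie marked HttpOnly cannot be read by injected JavaScript, which removes the usual XSS route to the cookie value.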

Firebug

Firebug is a tool used by web developers to analyse and modify HTML in real time (and much more). This tool can be used to modify form elements. This won’t tamper with the HTTP request itself, but it changes the parameters that Firefox will use to forge the HTTP request, so the request ends up the way you want (cf. Bypass an IP camera AXIS’ authentication).
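
A server cannot prevent someone from editing a form field in Firebug or Tamper Data, but it can detect the change. The following added example (not part of the original post) signs the hidden fields of a form with an HMAC bound to the session and rejects any submission whose protected fields were modified; the field names, the `_sig` parameter and the session id are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-process key; a real application loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id, fields, key):
    # Canonical, unambiguous serialisation: session id plus sorted name/value pairs.
    canonical = json.dumps([session_id, sorted(fields.items())], separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_form(session_id, fields, key=SERVER_KEY):
    """Server side, when rendering: add a `_sig` hidden field covering `fields`."""
    form = dict(fields)
    form["_sig"] = _tag(session_id, fields, key)
    return form


def verify_form(session_id, submitted, protected_names, key=SERVER_KEY):
    """Server side, on submit: True only if every protected field is unchanged."""
    if any(name not in submitted for name in protected_names):
        return False                      # a protected field was deleted
    fields = {name: submitted[name] for name in protected_names}
    expected = _tag(session_id, fields, key)
    supplied = str(submitted.get("_sig", ""))
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    form = issue_form("sess-1", {"item": "42", "price": "19.99"})
    print(verify_form("sess-1", form, ["item", "price"]))                      # True
    print(verify_form("sess-1", dict(form, price="0.01"), ["item", "price"]))  # False
```

Where possible, keep such values in server-side session state instead of the form; the signature is for values that have to make the round trip through the client.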

Conclusion

HTTP data tampering is easy to do. Now, you just need to find a vulnerability to exploit, which is much more complicated. I recommend you try a few hacking challenges like Hac Me Game to practise these techniques.

Posted in: Tutorials